tor browser bundle

New Tor 0.2.4.17-rc packages

There's a new Tor 0.2.4.17-rc to hopefully help mitigate some of the problems with the botnet issues Tor is experiencing. All packages, including the beta Tor Browser Bundles, have been updated. Relay operators are strongly encouraged to upgrade to the latest versions, since it mostly has server-side improvements in it, but users will hopefully benefit from upgrading too. Please try it out and let us know.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.4.17-beta-1)

  • Update Tor to 0.2.4.17-rc
  • Update NoScript to 2.6.7.1
  • Update HTTPS Everywhere to 4.0development.11

New Tor 0.2.4.16-rc packages and updated stable Tor Browser Bundles

There's a new Tor 0.2.4.16-rc out and all packages, including the beta Tor Browser Bundles, have been updated. The stable Tor Browser Bundles have also been updated to fix a bug in the last release which prevented the language packs from working (which resulted in all of the bundles being in English!). We're very sorry about this.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-12)

  • Re-add the locale pref to the Firefox prefs file to allow for localization
    of bundles again (closes: #9436)

Tor Browser Bundle (2.4.16-beta-1)

  • Update Tor to 0.2.4.16-rc
  • Re-add the locale pref to the Firefox prefs file to allow for localization
    of bundles again (closes: #9436)

Tor Browser Bundle 3.0alpha3 Released

The third alpha release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive:

https://archive.torproject.org/tor-package-archive/torbrowser/3.0a3

This release includes important security updates to Firefox. Here is the complete ChangeLog:

  • All Platforms:
    • Update Firefox to 17.0.8esr
    • https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...

    • Update Tor to 0.2.4.15-rc
    • Update HTTPS-Everywhere to 3.3.1
    • Update NoScript to 2.6.6.9
    • Improve build input fetching and authentication
    • Bug #9283: Update NoScript prefs for usability.
    • Bug #6152 (partial): Disable JSCtypes support at compile time
    • Update Torbutton to 1.6.1
      • Bug 8478: Change when window resize code fires to avoid rounding errors
      • Bug 9331: Hack a correct download URL for the next TBB release
      • Bug 9144: Change an aboutTor.dtd string so transifex will accept it
    • Update Tor-Launcher to 0.2.1-alpha
      • Bug #9128: Remove dependency on JSCtypes
  • Windows:
    • Bug #9195: Disable download manager AV scanning (to prevent cloud
      reporting+scanning of downloaded files)
  • Mac:
    • Bug #9173 (partial): Launch firefox-bin on MacOS instead of TorBrowser.app
      (improves dock behavior).

As usual these binaries should be exactly reproducible by anyone with Ubuntu and KVM support (though there are some issues in LXC).
To build your own identical copies of these bundles from source code, check out the official repository and use git tag tbb-3.0alpha3-release (commit 49db54d147bd0bccc26f1d4f859cf9fe97e5f14c).

These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!

Tor Browser Bundle 3.0alpha2 Released

The second alpha release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive.

In addition to providing important security updates to Firefox and Tor, these release binaries should now be exactly reproducible from the source code by anyone. They have been independently reproduced by at least 3 public builders using independent machines, and the Tor Package Archive contains all three builder's GPG signatures of the sha256sums.txt file in the package directory.

To build your own identical copies of these bundles from source code, check out the official repository and use git tag tbb-3.0alpha2-release (commit c0242c24bed086cc9c545c7bf2d699948792c1e3). These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!

I will be writing a two part blog series explaining why this is important, and describing the technical details of how it was accomplished in the coming week or two. For now, a brief explanation can be found on the Liberation Technologies mailing list archive.

ChangeLog

  • All Platforms:
    • Update Firefox to 17.0.7esr
    • Update Tor to 0.2.4.14-alpha
    • Include Tor's GeoIP file
      • This should fix custom torrc issues with country-based node restrictions
    • Fix several build determinism issues
    • Include ChangeLog in bundles
  • Windows:
    • Fix many crash issues by disabling Direct2D support for now.
  • Mac:
    • Bug 8987: Disable TBB's 'Saved Application State' disk records on OSX 10.7+
  • Linux:
    • Use Ubuntu's 'hardening-wrapper' to build our Linux binaries

The complete 3.0 ChangeLog now lives here.

Major Known Issues

  1. Windows XP users may still experience crashes due to Bug 9084.
  2. Transifex issues are still causing problems with missing translation text in some bundles

Announcing Tor Browser Bundle 3.0alpha1

Update 2013/6/28: Describe workaround for the Windows d2d1.dll crash.

After almost 6 months of solid development, the Tor Project is proud to announce the first alpha in the 3.0 series of the Tor Browser Bundle!

The 3.0alpha1 bundles are downloadable from the Tor Package Archive.

Release Highlights

Here are the major highlights of the 3.0 series:

  1. Usability, usability, usability!

    We've attempted to solve several major usability issues in this series, including:

    1. No more Vidalia

      The Tor process management is handled by the new Tor Launcher Firefox extension. If you want the Vidalia map and other features, you can point an existing Vidalia binary at control port 9151 after Tor Browser has launched, and it should still work (and even allow you to reconfigure the TBB Tor as a bridge or a relay).

    2. Local homepage with search box

      The browser now uses a local about:tor homepage instead of https://check.torproject.org. A local verification against the Tor control port is still performed, to ensure Tor is working, and a link to https://check.torproject.org is provided from the about:tor homepage for manual verification as well.

    3. Guided Extraction for Windows

      For Windows users, an NSIS-based extractor now guides you through the TBB extraction and ensures the extracted bundle ends up on your Desktop, or in a known location chosen by you (but make sure you have permissions on that location). Hopefully this will mean no more losing track of the extracted bundle files!

  2. Email-sized bundles

    The bundles are all under the 25M gmail attachment size limit, so direct email and gettor attachments are once again possible.

  3. Improved build security and integrity verification
    We now use Gitian to build the bundles. The idea behind Gitian is to allow independent people to take our source code and produce exactly identical binaries on their own. We're not quite at the point where you always get a matching build, but the remaining differences are minor, and within a couple more releases we should have it fully reproducible. For now, we are posting all of the builds for comparison, and you can of course build and compare your own.

Known issues

Of course, being an alpha release (in fact, the first alpha release of this series), we expect these bundles to have some issues. Here's the major user-facing issues that we know about so far:

  1. Crash Issue: Windows Permissions

    On Windows, if you install the bundle to anywhere other than the Desktop, permissions issues can cause the bundles to crash at startup.

  2. Crash Issue: Windows Software Conflict(s)

    There appears to be an issue with direct2d rendering acceleration that affects some video cards, and has a crash report with a module d2d1.dll. The simplest workaround is to right click on 'Start Tor Browser' and select "Properties->Compatibility->Run in Windows XP Compatibility mode".

  3. Extraction: Delete or rename your old TBB directory first!

    These bundles are significantly different than the previous alphas or stable releases. You must not extract this bundle on top of a previous TBB directory, or multiple things will break. If you want to preserve your bookmarks and history, you can do so by copying only the places.sqlite file from your old bundle directory into the new one. The good news is that the elimination of Vidalia should make it much simpler for us to finally deploy an autoupdater, but please bear with us until we can finally complete that important usability work.

  4. Misc: Missing Translations

    Some of the translations strings for the Tor Launcher startup got munged by Transifex. In particular, the Farsi and the German builds both have missing button labels and strings.

If you experience any other issues, please let us know and/or file a bug!

New Tor Browser Bundles with Firefox 17.0.6esr

There is a new Firefox 17.0.6esr out and all of the Tor Browser Bundles (stable and alpha branches) have been updated. The new stable TBBs have a lot of new and updated Firefox patches, so those of you who were experiencing crashes should no longer be seeing that behavior. Please let us know if you do by opening a ticket with details.

The stable Tor Browser Bundles are available at their normal location.

The alpha Tor Browser Bundles are available here.

Tor Browser Bundle (2.3.25-8)

  • Update Firefox to 17.0.6esr
  • Update HTTPS Everywhere to 3.2
  • Update Torbutton to 1.5.2
  • Update libpng to 1.5.15
  • Update NoScript to 2.6.6.1
  • Firefox patch changes:
    • Apply font limits to @font-face local() fonts and disable fallback
      rendering for @font-face. (closes: #8455)
    • Use Optimistic Data SOCKS handshake (improves page load performance).
      (closes: #3875)
    • Honor the Windows theme for inverse text colors (without leaking those
      colors to content). (closes: #7920)
    • Increase pipeline randomization and try harder to batch pipelined
      requests together. (closes: #8470)
    • Fix an image cache isolation domain key misusage. May fix several image
      cache related crash bugs with New Identity, exit, and certain websites.
      (closes: #8628)
  • Torbutton changes:
    • Allow session restore if the user allows disk actvity (closes: #8457)
    • Remove the Display Settings panel and associated locales (closes: #8301)
    • Fix "Transparent Torification" option. (closes: #6566)
    • Fix a hang on New Identity. (closes: #8642)
  • Build changes:
    • Fetch our source deps from an https mirror (closes: #8286)
    • Create watch scripts for syncing mirror sources and monitoring mirror
      integrity (closes: #8338)

    Tor Browser Bundle (2.4.12-alpha-2)

    • Update Firefox to 17.0.6esr
    • Update NoScript to 2.6.6.1

New Tor 0.2.4.12-alpha packages and Tor Browser Bundles

There is a new alpha-release of Tor Browser, based on tor 0.2.4.12-alpha. Alpha versions of Vidalia Bundles and Expert bundles are also updated.

This release also includes a patch to enable optimistic data (PDF) which should significantly speed up your browsing experience. Please give them a try and let us know how they work for you.

You can download the alpha Tor Browser Bundles here.

Tor Browser Bundle (2.4.12-alpha-1)

  • Update Tor to 0.2.4.12-alpha
  • Update Torbutton to 1.5.2
  • Update libpng to 1.5.15
  • Update NoScript to 2.6.6
  • Update PDF.js to 0.8.1
  • Firefox patch changes:
    • Apply font limits to @font-face local() fonts and disable fallback
      rendering for @font-face. (closes: #8455)
    • Use Optimistic Data SOCKS handshake (improves page load performance).
      (closes: #3875)
    • Honor the Windows theme for inverse text colors (without leaking those
      colors to content). (closes: #7920)
    • Increase pipeline randomization and try harder to batch pipelined
      requests together. (closes: #8470)
    • Fix an image cache isolation domain key misusage. May fix several image
      cache related crash bugs with New Identity, exit, and certain websites.
      (closes: #8628)
  • Torbutton changes:
    • Allow session restore if the user allows disk actvity (closes: #8457)
    • Remove the Display Settings panel and associated locales (closes: #8301)
    • Fix "Transparent Torification" option. (closes: #6566)
    • Fix a hang on New Identity. (closes: #8642)
  • Build changes:
    • Fetch our source deps from an https mirror (closes: #8286)
    • Create watch scripts for syncing mirror sources and monitoring mirror
      integrity (closes: #8338)

New Tor Browser Bundles with Firefox 17.0.5esr

All of the Tor Browser Bundles have been updated to the latest Firefox 17.0.5esr.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-6)

  • Update Firefox to 17.0.5esr
  • Update NoScript to 2.6.59

Tor Browser Bundle (2.4.11-alpha-2)

  • Update Firefox to 17.0.5esr
  • Update NoScript to 2.6.59

New Firefox 17.0.4esr and Tor 0.2.4.11-alpha bundles

We've updated the stable and alpha Tor Browser Bundles with Firefox 17.0.4esr and Tor 0.2.4.11-alpha. These releases have numerous bug fixes and a new Torbutton as well.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-5)

  • Update Firefox to 17.0.4esr
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 3.1.4
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

Tor Browser Bundle (2.4.11-alpha-1)

  • Update Firefox to 17.0.4esr
  • Update Tor to 0.2.4.11-alpha
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 4.0development.6
  • Update PDF.js to 0.7.236
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

New Tor Browser Bundles with Firefox 17.0.3esr

We've updated all of the bundles with Firefox 17.0.3esr. This includes significant changes to Torbutton and its interaction with Firefox, in addition to many new patches being added to Firefox, which are outlined below.

Very important: if you've been using the Tor Browser Bundles with Firefox 10.0.x, you must not attempt to overwrite it with the new bundle. Open these into their own directory and do not copy any profile material from older TBB versions.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-4)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

The following Firefox patch changes are also included in this release:

  • Isolate image cache to url bar domain (closes: #5742 and #6539)
  • Enable DOM storage and isolate it to url bar domain (closes: #6564)
  • Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
  • Misc preference changes:
    • Disable DOM performance timers (dom.enable_performance) (closes: #6204)
    • Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
    • Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
    • Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)

Tor Browser Bundle (2.4.10-alpha-2)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)
Syndicate content Syndicate content